GDPR-compliant: manage personnel data digitally
The EU General Data Protection Regulation (GDPR) has applied since May 25, 2018. For the first time, uniform data protection rules are binding throughout the EU and must be observed by companies and organizations. The 99 articles of the GDPR primarily regulate how personal data may and may not be processed. For companies, this affects how they handle the data of their business partners, be they suppliers, cooperation partners or customers. It equally affects the data of a company's own employees.
The GDPR brings new obligations for employers and additional rights for employees. In principle, the scope for processing the personal data of employees and applicants has been narrowed. The key point is that personal data may only be processed on a valid legal basis; in the employment context this is usually either the consent of the data subject or the necessity of the processing for the performance of the employment contract. The employer, as controller, is responsible for compliance with these obligations.
Obligations for employers, rights for employees
In detail, the following obligations for employers and rights for employees apply:
- At the time personal data is collected and stored, the employee must be informed of the name and contact details of the controller. The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data. The employee must also be informed about the purpose and duration of the collection and storage, about their rights of access, objection and complaint, and about the legal basis for the processing. The employee must further be told who the recipients of the data are and who the data protection officer is, including the relevant contact details.
- An employee has the right to inspect his or her personnel file and have incorrect data corrected.
- In addition, an employee may submit written statements on the content of the personnel file; at the employee's request these statements must be added to the file. The employee may also complete their personal data. Personal statements by the employee are likewise permitted in response to appraisals and warnings, but they must refer to the original documents.
- As soon as personal data is no longer required for the purpose for which it was collected, it must be deleted immediately. The data must also be deleted if it has been processed unlawfully by the employer or if the employee revokes their permission for processing or objects to the processing.
- More specific rules can be laid down in works agreements, but the requirements of the GDPR always remain the minimum standard.
Electronic personnel file ensures GDPR compliance
Of course, these data protection requirements apply regardless of whether personal data is held on paper or digitally. Note that certain documents, such as notices of termination or termination agreements, must still exist in physical written form to be valid under Section 623 of the German Civil Code (BGB). For most other documents, however, a digital copy in an electronic personnel file is sufficient.
And in view of the GDPR, there is a lot to be said for this option, because it makes it easier to comply with the rules:
- Access to personal data can be controlled via a multi-level authorization concept, which provides the access protection required as a technical and organizational measure under Articles 24 and 32 of the GDPR. With such a digital authorization concept it can be ensured, for example, that superiors receive only the information they need for management purposes but cannot view data on illnesses. Enforcing the same access restrictions on a paper personnel file is much harder and involves more effort.
- A high level of audit security and traceability is achieved, because every access to and every change in the electronic personnel file is logged.
- Automated reminders flag upcoming tasks.
- Notifications draw attention to the expiry of retention periods for specific documents. Documents flagged in this way can be deleted automatically, or under the dual control (four-eyes) principle, once the retention period has expired.
So there is a lot to be said for an electronic personnel file. The prerequisite, however, is that the IT solution used actually provides the necessary functions: an adequate authorization concept can be implemented, every access is logged, and documents are reliably deleted once the defined period has expired. It is equally important that access to the HR department's IT infrastructure itself is comprehensively controlled.
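The three mechanisms in the list above, a role-based authorization concept, an audit log of every access, and retention-based deletion under the dual control principle, as an added Python example. This is illustrative code written for this page, not code from any document management product or from the page's author; the roles, document categories, retention periods, names and dates are assumptions.

```python
"""Toy model of an electronic personnel file: role-based authorization,
append-only audit log, and retention-based deletion under dual control.
Illustrative only; roles, categories and retention periods are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Set, Tuple

# Assumed document categories; "health" covers sick notes and similar data.
CATEGORIES: Set[str] = {"contract", "appraisal", "warning", "health", "payroll"}

# Multi-level authorization concept (assumption): per role, the categories
# that may be read and written. A supervisor sees appraisals and warnings
# for management purposes but never health or payroll data.
PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "hr_admin":   {"read": set(CATEGORIES), "write": set(CATEGORIES)},
    "supervisor": {"read": {"appraisal", "warning"}, "write": {"appraisal"}},
    "employee":   {"read": set(CATEGORIES), "write": set()},  # own file only
}
DUAL_CONTROL_APPROVALS = 2  # distinct hr_admins needed to delete a document


@dataclass(frozen=True)
class Document:
    doc_id: str
    category: str
    owner: str           # employee whose file this belongs to
    created: date
    retention_days: int  # assumed retention period
    content: str

    def expires_on(self) -> date:
        return self.created + timedelta(days=self.retention_days)


class PersonnelFile:
    def __init__(self) -> None:
        self._docs: Dict[str, Document] = {}
        self._approvals: Dict[str, Set[str]] = {}
        # (actor, role, action, doc_id, allowed); denied attempts are logged too
        self.audit: List[Tuple[str, str, str, str, bool]] = []

    def _log(self, actor: str, role: str, action: str, doc_id: str, ok: bool) -> None:
        self.audit.append((actor, role, action, doc_id, ok))

    def is_permitted(self, actor: str, role: str, action: str, doc: Document) -> bool:
        ok = doc.category in PERMISSIONS.get(role, {}).get(action, set())
        if role == "employee":
            ok = ok and actor == doc.owner  # employees may only inspect their own file
        return ok

    def add(self, actor: str, role: str, doc: Document) -> None:
        ok = self.is_permitted(actor, role, "write", doc)
        self._log(actor, role, "add", doc.doc_id, ok)
        if not ok:
            raise PermissionError(f"{role} may not add {doc.category} documents")
        self._docs[doc.doc_id] = doc

    def read(self, actor: str, role: str, doc_id: str) -> str:
        doc = self._docs[doc_id]
        ok = self.is_permitted(actor, role, "read", doc)
        self._log(actor, role, "read", doc_id, ok)
        if not ok:
            raise PermissionError(f"{role} may not read {doc.category} documents")
        return doc.content

    def expired(self, today: date) -> List[str]:
        """Documents whose retention period has run out (deletion candidates)."""
        return sorted(d.doc_id for d in self._docs.values() if d.expires_on() <= today)

    def approve_deletion(self, actor: str, role: str, doc_id: str, today: date) -> bool:
        """Dual control: a document is deleted only after its retention period has
        expired and two *different* hr_admins have approved. Returns True once
        the document is actually deleted, False while approvals are still missing."""
        ok = role == "hr_admin" and doc_id in self.expired(today)
        self._log(actor, role, "approve_delete", doc_id, ok)
        if not ok:
            raise PermissionError(f"{actor} may not approve deletion of {doc_id} now")
        approvers = self._approvals.setdefault(doc_id, set())
        approvers.add(actor)  # a set, so the same admin approving twice does not count twice
        if len(approvers) < DUAL_CONTROL_APPROVALS:
            return False
        del self._docs[doc_id]
        del self._approvals[doc_id]
        self._log(actor, role, "delete", doc_id, True)
        return True


def _denied(action: Callable[[], object]) -> bool:
    """True if the action is refused by the authorization concept."""
    try:
        action()
    except PermissionError:
        return True
    return False


def build_sample_file() -> PersonnelFile:
    """Constructed sample data (fictitious names, dates and retention periods)."""
    pf = PersonnelFile()

    def add(actor: str, role: str, *fields) -> None:
        pf.add(actor, role, Document(*fields))

    add("hr.mueller", "hr_admin", "contract-1", "contract", "emp.schmidt", date(2019, 3, 1), 3650, "employment contract")
    add("hr.mueller", "hr_admin", "sick-1", "health", "emp.schmidt", date(2021, 5, 10), 365, "sick note, 5 days")
    add("sup.weber", "supervisor", "appraisal-1", "appraisal", "emp.schmidt", date(2022, 1, 15), 1825, "annual appraisal")
    return pf


def run_demo(today: date = date(2023, 1, 1)) -> dict:
    pf = build_sample_file()
    r: dict = {}
    r["supervisor_sees_appraisal"] = pf.read("sup.weber", "supervisor", "appraisal-1") == "annual appraisal"
    r["supervisor_blocked_from_health"] = _denied(lambda: pf.read("sup.weber", "supervisor", "sick-1"))
    r["employee_reads_own_health"] = pf.read("emp.schmidt", "employee", "sick-1") == "sick note, 5 days"
    r["other_employee_blocked"] = _denied(lambda: pf.read("emp.other", "employee", "sick-1"))
    r["expired"] = pf.expired(today)  # only the sick note's retention period has run out
    r["first_approval_deletes"] = pf.approve_deletion("hr.mueller", "hr_admin", "sick-1", today)
    r["same_admin_again_deletes"] = pf.approve_deletion("hr.mueller", "hr_admin", "sick-1", today)
    r["second_admin_deletes"] = pf.approve_deletion("hr.fischer", "hr_admin", "sick-1", today)
    r["unexpired_deletion_blocked"] = _denied(lambda: pf.approve_deletion("hr.mueller", "hr_admin", "contract-1", today))
    r["denied_attempts_logged"] = sum(1 for e in pf.audit if not e[4])
    r["audit_events"] = len(pf.audit)
    return r
```

The design point is that the permission check is made against the document's category and owner, not against the document itself, so adding a new category means one entry in the permission table; that every attempt, including a denied one, lands in the audit log before the decision is enforced; and that deletion is keyed to a set of distinct approvers, so a single administrator cannot satisfy the dual control requirement by approving twice.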